Z-Downloads < 1.11.6 – Unauthenticated Stored XSS | CVE 2024-8703

Description

The plugin does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs.

Proof of Concept

Since this is a XSS vulnerability, two roles are required: authenticated administrator and unauthenticated adversary.

1. Log into the administrator account that has access to the Z-Downloads plugin.
2. Upload any file to the plugin using its functionality. 
3. Retrieve the Share URL for the download that can be distributed to other users.
4. Start a proxy using a tool such as Burp Suite and start intercept traffic (unauthenticated).
5. Open the proxy browser and access the Share URL. 
6. In the captured request, insert the following payload into the User-Agent HTTP header: `<script>alert(1)</script>`
7. Forward the request.
8. Head back to the administrator account and navigate to the Z-Downloads Logs page.
9. Observe that there is a new "download file" entry in the logs.
10. Click on this log entry to show more details and see the XSS alert.